Old 10-01-2010, 01:00 PM
Tim Waugh
 
Firewall settings unworkable

There are several protocols used for discovery of network services that
currently cannot be made to work on Fedora simply due to the restrictive
firewall we use by default.

For example, a broadcast SNMP query to discover network printers is sent
as a UDP packet from an unprivileged local port to SNMP port of the
broadcast address. Network printers respond by sending a UDP packet in
response, from the SNMP port back to the local unprivileged port.

The default firewall drops these packets. However, there is no "canned"
firewall setting to allow these packets in. No checkbox or on/off
switch will do it except "Disable Firewall".

In system-config-printer I try to get it to modify the firewall to allow
in the various network query responses that we expect, but I find it
cannot be done for SNMP or NetBIOS (which works in a similar way).

There is an open bug against the kernel for general broadcast query
response tracking:
https://bugzilla.redhat.com/show_bug.cgi?id=538675

In the meantime, I'm left wondering whether I ought to teach
system-config-printer how to temporarily insert a rule to allow in all
UDP packets from source port SNMP and with destination port > 1024...

Until then people will end up just turning off their firewalls
altogether in order to get things to work.

Tim.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-01-2010, 01:23 PM
Tomasz Torcz
 
Firewall settings unworkable

On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote:
> There are several protocols used for discovery of network services that
> currently cannot be made to work on Fedora simply due to the restrictive
> firewall we use by default.
>
> For example, a broadcast SNMP query to discover network printers is sent
> as a UDP packet from an unprivileged local port to SNMP port of the
> broadcast address. Network printers respond by sending a UDP packet in
> response, from the SNMP port back to the local unprivileged port.
>

ZeroConf discovery (port 5353) is denied by default also


--
Tomasz Torcz What is unreal is normal here.
xmpp: zdzichubg@chrome.pl The homies here have their own special tricks for getting by.

 
Old 10-01-2010, 02:07 PM
David Howells
 
Firewall settings unworkable

The following works for UDP too:

-A INCOMING -m state --state RELATED,ESTABLISHED -j ACCEPT

Leastways, I can do AFS through my firewall with it.

David
 
Old 10-01-2010, 02:13 PM
Tim Waugh
 
Firewall settings unworkable

On Fri, 2010-10-01 at 15:23 +0200, Tomasz Torcz wrote:
> ZeroConf discovery (port 5353) is denied by default also

But that can be enabled with a single checkbox ("Multicast DNS (mDNS)"),
and that can also be done programmatically using
system-config-firewall's D-Bus interface, such as it is. In fact,
system-config-printer does just that.

Tim.

 
Old 10-01-2010, 02:15 PM
Tim Waugh
 
Firewall settings unworkable

On Fri, 2010-10-01 at 15:07 +0100, David Howells wrote:
> The following works for UDP too:
>
> -A INCOMING -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Leastways, I can do AFS through my firewall with it.

Does that work for unicast replies to broadcast queries though?

e.g.

IP 10.1.1.8.33353 > 10.1.1.255.snmp: GetRequest(28)
.1.3.6.1.2.1.25.3.2.1.2.1

IP 10.1.1.7.snmp > 10.1.1.8.33353: GetResponse(37)
.1.3.6.1.2.1.25.3.2.1.2.1=.1.3.6.1.2.1.25.3.1.5

Tim.

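The two SNMP packets Tim quotes above, run through a small model of the three matching approaches the thread discusses: conntrack's RELATED,ESTABLISHED match, Tim's proposed source-port rule, and a netbios_ns-style broadcast-aware tracker. This is an added example, not code from the thread or from the kernel; `is_broadcast_reply` is a sketch of the expectation such a module would add, and `Flow`, `parse_tcpdump` and the other names are this example's own.

```python
"""Added example (not from the thread): model what each matching approach
discussed here does with the two SNMP packets Tim quoted."""
import ipaddress
import re
from typing import NamedTuple

SNMP_PORT = 161  # tcpdump prints this service name as ".snmp"

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Matches "IP 10.1.1.8.33353 > 10.1.1.255.snmp: GetRequest(28)" style lines.
_PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+):")

def parse_tcpdump(line: str) -> Flow:
    m = _PKT.match(line)
    if not m:
        raise ValueError(f"not a UDP/IP tcpdump line: {line!r}")
    port = lambda p: SNMP_PORT if p == "snmp" else int(p)
    return Flow(m[1], port(m[2]), m[3], port(m[4]))

def is_established_reply(outgoing: Flow, reply: Flow) -> bool:
    """Plain conntrack: a packet is a reply only if it is the exact reversed
    4-tuple. The printer's unicast source is not the broadcast address, so
    RELATED,ESTABLISHED never matches it."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (outgoing.dst, outgoing.dport, outgoing.src, outgoing.sport)

def is_broadcast_reply(outgoing: Flow, reply: Flow, netmask: str) -> bool:
    """Sketch of the netbios_ns-style expectation Tim asks for: a query sent
    to the subnet broadcast may be answered by any host on that subnet, from
    the queried port back to the querying port. Not the kernel's code."""
    net = ipaddress.ip_network(f"{outgoing.dst}/{netmask}", strict=False)
    return (outgoing.dst == str(net.broadcast_address)
            and ipaddress.ip_address(reply.src) in net
            and reply.sport == outgoing.dport
            and (reply.dst, reply.dport) == (outgoing.src, outgoing.sport))

def matches_blanket_rule(reply: Flow) -> bool:
    """Tim's fallback rule: udp --sport 161 --dport 1025:65535 -j ACCEPT.
    It lets the reply in, but also any 161-sourced datagram from anywhere."""
    return reply.sport == SNMP_PORT and reply.dport > 1024

# The two packets quoted in the thread.
QUERY = parse_tcpdump("IP 10.1.1.8.33353 > 10.1.1.255.snmp: GetRequest(28)")
REPLY = parse_tcpdump("IP 10.1.1.7.snmp > 10.1.1.8.33353: GetResponse(37)")
```

The blanket rule is the only one of the three that also admits a datagram from an off-subnet host, which is the price of the workaround Tim is weighing.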
 
Old 10-01-2010, 02:19 PM
David Howells
 
Firewall settings unworkable

Tim Waugh <twaugh@redhat.com> wrote:

> Does that work for unicast replies to broadcast queries though?

Good question; I don't know. netfilter@vger.kernel.org is probably the place
to ask.

David
 
Old 10-01-2010, 02:37 PM
Tim Waugh
 
Firewall settings unworkable

On Fri, 2010-10-01 at 15:19 +0100, David Howells wrote:
> Good question; I don't know. netfilter@vger.kernel.org is probably the place
> to ask.

I did ask about this issue on netfilter, last year (look for "SNMP
conntrack module a la netbios_ns", Dec 4th 2009).

That's where the idea for a general broadcast query response tracking
module came from.

Tim.

 
Old 10-01-2010, 08:36 PM
"Richard W.M. Jones"
 
Firewall settings unworkable

On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote:
> In system-config-printer I try to get it to modify the firewall to allow
> in the various network query responses that we expect, [...]

I should note, although it's not your fault, that this breaks
libvirt networking.

libvirt needs to add its own firewall rules too, and restarting the
firewall breaks these rules until you restart the libvirt network and
all your VMs.

The root problem here is that our firewall rules aren't composable.
As you can tell by the bug #, this issue has been around for quite a
long time ...

https://bugzilla.redhat.com/show_bug.cgi?id=227011

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
 
Old 10-02-2010, 12:17 AM
"Dennis J."
 
Firewall settings unworkable

On 10/01/2010 10:36 PM, Richard W.M. Jones wrote:
> On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote:
>> In system-config-printer I try to get it to modify the firewall to allow
>> in the various network query responses that we expect, [...]
>
> I should note, although it's not your fault, that this breaks
> libvirt networking.
>
> libvirt needs to add its own firewall rules too, and restarting the
> firewall breaks these rules until you restart the libvirt network and
> all your VMs.
>
> The root problem here is that our firewall rules aren't composable.
> As you can tell by the bug #, this issue has been around for quite a
> long time ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=227011

I'm wondering what the actual requirements are in order to make it possible
for a service to add rules to the firewall. The discussion in the bug mixes
general requirements for such a feature with current iptables limitations
which makes it difficult to understand the problem fully.

In a first step it would probably be best to create a layer on top of
iptables that manages the addition and removal of rules that can be
independently configured. That way you don't have to find quirky hacks for
iptables. "service iptables save" would then call the save function of
that management layer which in turn could save the iptables rules to a
temporary file, filter out the service rules and then save the
standard/global/default rules in /etc/sysconfig/iptables and the service
rules it filtered out into /etc/sysconfig/iptables.d/<service>. When loading
the whole thing is executed in reverse.

Once workable semantics are found for such a management layer the second
step could be to move these features into iptables itself if possible.

Regards,
Dennis
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
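The save/load split Dennis sketches, as an added example (not Dennis's, libvirt's or Fedora's code): partition an iptables-save dump into the default rules and the rules each service owns, then rebuild in reverse order. It assumes a hypothetical tagging convention, `-m comment --comment "svc:<name>"`, and the sample dump is constructed for the example.

```python
"""Added example, not code from the thread or from Fedora: the save/load
split Dennis sketches, applied to an iptables-save dump. Assumed
(hypothetical) convention: a service tags each rule it owns with
-m comment --comment "svc:<name>"."""
import re

_TAG = re.compile(r'-m comment --comment "svc:([A-Za-z0-9_.-]+)"')

def split_ruleset(dump: str):
    """Return (default_dump, {service: [rules]}).
    default_dump keeps iptables-save layout (*table, :CHAIN policy, COMMIT)
    minus the tagged rules, so it can be written to /etc/sysconfig/iptables
    unchanged. Each service rule is prefixed with its table so it can be
    re-added later with `iptables -t <table> -A ...`."""
    default, services = [], {}
    table = "filter"
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:]
        m = _TAG.search(line)
        if m and line.startswith("-A "):
            services.setdefault(m[1], []).append(f"-t {table} {line}")
        else:
            default.append(line)
    return "\n".join(default) + "\n", services

def restore_plan(services: dict, default_path: str = "/etc/sysconfig/iptables"):
    """Loading "in reverse": restore the defaults first, then append each
    service's rules in saved order. Returns the commands instead of running
    them (the iptables.d/<service> files would feed this in practice)."""
    plan = [f"iptables-restore < {default_path}"]
    for name in sorted(services):
        plan += [f"iptables {rule}" for rule in services[name]]
    return plan

# Constructed sample in iptables-save format; not a real system's rules.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -m comment --comment "svc:libvirt" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -m comment --comment "svc:libvirt" -j ACCEPT
-A INPUT -p udp -m udp --sport 161 --dport 1025:65535 -m comment --comment "svc:printer" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
```

Because the service rules are re-added after the defaults rather than inlined, a restart of the default set no longer silently drops libvirt's or the printer tool's rules, which is the breakage Richard describes.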
 
Old 10-02-2010, 08:53 AM
"Richard W.M. Jones"
 
Firewall settings unworkable

On Sat, Oct 02, 2010 at 02:17:49AM +0200, Dennis J. wrote:
[...]

I asked Dan Berrange to join this thread since he's most knowledgeable
about the exact problem and requirements from the libvirt side.

Rich.

 